URL: | http://elcisneblanco.com/tmp/banking/details/bank.php |
Full analysis: | https://app.any.run/tasks/955fd2d8-2123-4bcc-91de-08e760e6a545 |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 16:26:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 4DE491700DFB5A30481DC45F7DA6D41D |
SHA1: | EAFB56CE1F7C362276609964A8A12E0CE06A4B9A |
SHA256: | ACD4B6F116C16E3A6A41933825D694D104F57A55F55BCCC757669734CA0DD18E |
SSDEEP: | 3:N1KbIbiJiGGIKuMiMJNHtxn:C6iJi3ITMRNr |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2956 | "C:\Program Files\Internet Explorer\iexplore.exe" http://elcisneblanco.com/tmp/banking/details/bank.php | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3452 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3772 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:14337 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3180 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\BANK DETAILS CONFIRMATION_PDF.zip" "C:\Users\admin\Downloads\BANK DETAILS CONFIRMATION_PDF\" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
2212 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\BANK DETAILS CONFIRMATION_PDF\BANK DETAILS CONFIRMATION_PDF - Copy.js" | C:\Windows\System32\WScript.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
4024 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\ljSULvdTZD.js" | C:\Windows\System32\wscript.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
3964 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\BANK DETAILS CONFIRMATION_PDF - Copy.js" | C:\Windows\System32\wscript.exe | WScript.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Version: 5.8.7600.16385 | ||||
2592 | "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\ljSULvdTZD.js" | C:\Windows\System32\wscript.exe | — | wscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 1 Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2956 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 | |||
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0GB1FTM2\errorPageStrings[1] | text | |
MD5:1A0563F7FB85A678771450B131ED66FD | SHA256:EB5678DE9D8F29CA6893D4E6CA79BD5AB4F312813820FE4997B009A2B1A1654C | |||
2956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061920190620\index.dat | dat | |
MD5:8EAB1E489F17498BADB415308841D084 | SHA256:2AC83D30DEB9937BE9874F5421100B5D5DB4B01D43A2F60A9C68E91E763ED848 | |||
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:532DA8F79B647E806ABF9A34E82551DB | SHA256:216B3B45D53D2CD89EDC747E0A12B303D670A44F1D57A4EBAE701B1730CC43CB | |||
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O2LCSF69\bank[1].htm | html | |
MD5:BBBF8DAAFBBA2F086075BEFBF38E6327 | SHA256:0305B9CDAE8792F5E096118FBD44C14DBEFA4B771F17BCF64DE68ED62F21285E | |||
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RAEE57Z7\dnserror[1] | html | |
MD5:68E03ED57EC741A4AFBBCD11FAB1BDBE | SHA256:1FF3334C3EB27033F8F37029FD72F648EDD4551FCE85FC1F5159FEAEA1439630 | |||
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:EE24E79909F20BBAF5164EDF142EF9AA | SHA256:C2F3B1ECE19678DDBFDE63908A4B00686C2FE806BC8213FA50DB8A837B1985B2 | |||
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RAEE57Z7\noConnect[1] | image | |
MD5:3CB8FACCD5DE434D415AB75C17E8FD86 | SHA256:6976C426E3AC66D66303C114B22B2B41109A7DE648BA55FFC3E5A53BD0DB09E7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3452 | iexplore.exe | GET | 200 | 192.185.26.103:80 | http://elcisneblanco.com/tmp/banking/details/bank.php | US | html | 222 b | unknown |
3772 | iexplore.exe | GET | 200 | 192.185.163.240:80 | http://futuroformacion.es//moodle/calendar/amd/BANK%20DETAILS%20CONFIRMATION_PDF.zip | US | compressed | 35.0 Kb | unknown |
2956 | iexplore.exe | GET | 200 | 192.185.26.103:80 | http://elcisneblanco.com/favicon.ico | US | image | 3.50 Kb | unknown |
2956 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2956 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3964 | wscript.exe | 185.247.228.159:1765 | www.tcoolsoul.com | — | — | malicious |
2956 | iexplore.exe | 192.185.26.103:80 | elcisneblanco.com | CyrusOne LLC | US | unknown |
3772 | iexplore.exe | 192.185.163.240:80 | futuroformacion.es | CyrusOne LLC | US | unknown |
3452 | iexplore.exe | 192.185.163.240:80 | futuroformacion.es | CyrusOne LLC | US | unknown |
3452 | iexplore.exe | 192.185.26.103:80 | elcisneblanco.com | CyrusOne LLC | US | unknown |
Domain | IP | Reputation |
---|---|---|
elcisneblanco.com |
| unknown |
www.bing.com |
| whitelisted |
futuroformacion.es |
| unknown |
dns.msftncsi.com |
| shared |
brothersjoy.nl |
| unknown |
www.tcoolsoul.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3772 | iexplore.exe | Misc activity | ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns) |